Now, we are continuity planners. The whole business is involved, not just in recovering the data processing department, or contingencies, or resumption, but in the continuity of the business. There is more need for involvement of business units and upper management. So where does Continuity Planning belong in the organization? I believe it belongs in the Strategic Planning area and we should be looking at the strategic plan.
The strategic plan for the business is a tool used by upper management to plan the long-term continuity of the business. Each year upper management goes to great lengths to set up or improve the company’s mission and strategies for the future. The strategic time period is usually three to five years. Some companies try for a longer time frame, but in our present world of computer processors doubling in speed every 18 months the usual frame is five years. Strategies are then broken down into yearly goals known as tactics. Budgets are then assigned to tactical plans for the next year.
This all sounds very familiar. Mission, Strategies, and Tactics are not the words we use, but maybe they should be. They are related to Purpose, Risk/Threat Analysis, Business Impact Analysis, and Mission-Critical Systems. Since we are concerned now with the ideas of business continuity and this continuity is multi-year planning, we should be involved in the strategic plan. How can we be part of the strategic process? Let us start with Strategic Continuity Planning.
Strategic Continuity Planning is a new way of using old tools from both Business Continuity Planning and Strategic Planning. What we want from the outcome of Strategic Continuity Planning would be a Continuity Plan tied to the company’s Strategic Plan.
This sounds hard? So did the idea of taking the steps from DRP to Contingency Planning to Resumption Planning to Continuity Planning when they were first broached. However, we have two planning processes that are well defined. All that needs to be done here is to compare and couple some of the steps involved. Let us look at some of these components that we as Continuity Planners can become involved in.
We often talk about mission –critical applications, but we seldom talk about the mission part of those applications. The company has a mission. The two places we can usually find the mission statement are the annual reports to stockholders and the strategic plan. We usually read neither of these items. How can we know what is mission-critical without knowing what is the company’s mission?
So the first tool in melding Continuity Planning into the Strategic Planning process is to look at the Mission Statement of the company. Below is an example from a university:
The University’s primary mission is to advance, transmit, and sustain knowledge and understanding through the conduct of teaching, research, and scholarship at the highest international standards for the benefit of the international and national communities and the state….
My first impression is that mission-critical would not include an athletic database. The likely candidates for mission-critical would be academic and research data, systems and auxiliary systems, hard data to the subjects. So, the mission statement says a lot about where to start in our planning. As a matter of fact, it is a good place to start wrapping the Continuity Plan around the Strategic Plan. We usually start with a purpose or mission in our plan. This is our focus just like the Mission Statement is the focus of the Strategic Plan. The strategic planners do not stray outside the mission of the company to create their plan. We work within our purpose or mission in our plans. If we are doing continuity planning on the company, we can use the strategic mission statement as our focus. We can wrap the continuity mission or purpose around the mission statement as follows:
The Strategic Continuity Plan will support the University in its primary mission by providing a plan for continuous operations in time of interruption.
Using this purpose for the Continuity Plan puts us at the Business and Strategic level. When we use the other tools described here we will be on the strategic level of the business. That is where we must be in our future dealings with Executive Arrangement.
Financial Tools. Our next stop on the tour of a strategic plan would be the tools used to create the strategies. The first one that most strategic planners use are accounting or finance tools. These are the current ratio, quick ratio, return on investment, return on equity, etc. A financial measure we use is ALE, annual loss exposure. How do we put our loss estimates into line with the strategic financial tools? A simple example would be return on investment (ROI). ROI is a measure of profitability. It is the percentage of the net earnings attributed to total assets or the percentage of earnings that was contributed to the company by all the assets the company owns (e.g., machines, buildings, equipment).
Our measurement, ALE, is the less attributed to uncontrolled vulnerabilities such as earthquakes, tornadoes, or, most common of all power failure and unintentional employee sabotage. Add a frequency value - once, twice, three times a year or more - and we have our Risk Exposure (RE). So, how do we show what could happen in financial terms to uncontrolled risk. We can show this in the strategic numbers by subtracting the RE from the Net Earnings. This would show all across the budgeted financial calculations. To see the impact we can take an example with the ROI described above.
ROI = Net Earnings/Total Assets
Say Net Earnings are $5,000,000
Total Assets are $50,000,000
And Risk Exposure involves 4 power outages a year at loss estimate of 50 hours at $5,000 per hour or 50 X $5,000 X 4= $1,000,000
Without the RE taken into account, the percentage would be:
ROI = $5,000,000 / $50,000,000 = 10%
The ROI with RE would be:
ROI = (5,000,000-1,000,000) / 50,000,000 = 8%
If this calculation is not convincing to Senior Management, then nothing could convince them that planning for loss control would be worthwhile. This is just the tip of the iceberg financially speaking. Think of what Risk Exposure does to liquidity, leverage, and activity ratios. By working on the strategic level, we can point out where the future loss estimates could cause problems and vulnerabilities. Projecting what could happen with these financial ratios tied to the Risk Exposure, and projecting risk out through the strategic plan’s life would show a clearer picture of why we need to have Continuity Planning.
In table 1 we have several financial indicators that are used in strategic planning. They are broken down into several categories such as liquidity and returns. They have been modified to add the RE component. If we do the math, it shows the importance of the risk exposure factor (see table 1).
Note that the ratios in this table are only examples. There are many more accounting ratios that are used in strategic planning which can be adjusted by our Risk Exposure for use in our Strategic Continuity Plan.
The SWOT Analysis. Financial equations are only one of the many tools that can show why we need Strategic Continuity Planning. Another set of tools, the marketing tools, can show us not only why, but also with what to work. The first marketing analysis tool that would be useful is the SWOT analysis. SWOT stands for Strengths, Weaknesses, Opportunities and Threats.
We have all worked with threat in our Risk/Threat analyses. Risk is the potential for a loss. As seen before, in the financial analysis, we try to quantify that loss possibility. A Threat is the trigger that causes a risk to become a loss. Threats we have thought about are power, weather, sabotage, and equipment failure. Threats in the case of strategic planning are outside forces that could cause problems to the company. These include labor ,competition, spying, regulations, market evaporation, and competitors coming out with a better product or taking a larger market share.
Opportunities are also external to the company. They are the openings that a company can take advantage of to create or expand market share. These can include new markets for present or old products, new product development, less competition, and less regulation. We seldom think about opportunities when we think Continuity Planning, but we should.
We can look at the opportunities and threats analysis as the Strategic Risk/Threat Analysis. What are the threats to the company? They are not internal and local. They must be the external. They are triggers to external risks.
Marc Reich, MBCP, CDP is a Disaster Recovery consultant for Inteliant Corporation. He has worked on disaster recovery planning in government, industry, healthcare, and small business for many years. His background includes over 20 years in Data Processing with 10 years in consulting. Mr. Reich can be reached by e-mail at email@example.com.
Part Two of this series will appear in the upcoming Summer 1999 issue of DRJ.